(54) Self-protecting documents

(57) A system and method for the secure distribution of electronic documents reduces the likelihood of unauthorized reproduction and redistribution by either authorized or unauthorized recipients. A self-protecting document (SPD) contains an encrypted document as well as a secure set of permissions and the software necessary to process the document; full decryption of the document is performed as late as possible so as to minimize the possibility of intercepting the document before it has been fully rendered to screen or to paper.
Description

[0001] The invention relates to document rights management, and more particularly, to a self-protecting document scheme that enables electronic document protection without the need for additional software or hardware support for

[0002] One of the most important issues impeding the widespread distribution of digital documents via electronic commerce is the current lack of protection of the intellectual property rights of content owners during the distribution and use of those digital documents. Efforts to resolve this problem have been termed "Intellectual Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Management" ("IPM"), "Rights Management" ("RM"), and "Electronic Copyright Management" ("ECM").

[0003] A document, as the term is used herein, is any unit of information subject to distribution or transfer, including but not limited to correspondence, books, magazines, journals, newspapers, other papers, software, photographs and other images, audio and video clips, and other multimedia presentations. A document may be embodied in printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media.

[0004] In the world of printed documents, a work created by an author is usually provided to a publisher, which formats and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other retail outlets, from which the copies are purchased by end users.

[0005] While the low quality of copying and the high cost of distributing printed material have served as deterrents to the illegal copying of most printed documents, it is far too easy to copy, modify, and redistribute unprotected electronic documents. Accordingly, some method of protecting electronic documents is necessary to make it harder to illegally copy them. This will serve as a deterrent to copying, even if it is still possible, for example, to make hardcopies of printed documents and duplicate them the old-fashioned way.

[0006] With printed documents, there is an additional step of digitizing the document before it can be redistributed electronically; this serves as a deterrent. Unfortunately, it has been widely recognized that there is no viable way to prevent people from making unauthorized distributions of electronic documents within current general-purpose computing and communications systems such as personal computers, workstations, and other devices connected over local area networks (LANs), intranets, and the Internet. Many attempts to provide hardware-based solutions to prevent unauthorized copying have proven to be unsuccessful.

[0007] Two basic schemes have been employed to attempt to solve the document protection problem: secure containers and trusted systems.

[0008] A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the various conditions and terms are verified with the document provider, the document is released to the user in clear form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the secure container approach provides a solution to protecting the document during delivery over insecure channels, but does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and redistributing it in violation of content owners' intellectual property.

[0009] Cryptographic mechanisms are typically used to encrypt (or "encipher") documents that are then distributed and stored publicly, and ultimately privately deciphered by authorized users. This provides a basic form of protection during document delivery from a document distributor to an intended user over a public network, as well as during document storage on an insecure medium.

[0010] In the "trusted system" approach, the entire system is responsible for preventing unauthorized use and distribution of the document. Building a trusted system usually entails introducing new hardware such as a secure processor, secure storage and secure rendering devices. This also requires that all software applications that run on such systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing technologies, current market trends suggest that open and untrusted systems such as PCs and workstations will be the dominant systems used to access copyrighted documents. In this sense, existing computing environments such as PCs and workstations equipped with popular operating systems (e.g., Windows and UNIX) and render applications (e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architectures.

[0011] Accordingly, although certain trusted components can be deployed, one must continue to rely upon various unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated bugs and weaknesses are frequently found and exploited.

[0012] There are a number of issues in rights management: authentication, authorization, accounting, payment and financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document protection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted to perform a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the software), the document is presumably in the clear, or unencrypted. Simply stated, the document protection problem is to prevent the content owner's rights from being compromised when the document is in its clear form, stored in the clear, on a machine within the user's control. Even when documents are securely delivered (typically via encryption) from a distributor [...] otherwise manipulate the document. Accordingly, to achieve the highest level of protection, it is important to protect document contents as much as possible while revealing them to the user at a late stage [...] to recover into a useful form.

[0013] In the known approaches to electronic document distribution that employ encryption, an encrypted document is rendered in several separate steps. First, the encrypted document is received by the user. Second, the user uses his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Third, the clear content is passed on to a rendering application, which translates the clear content into a finished document, either for viewing on the user's computer screen or for printing a hardcopy. This third step is required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be noted, then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, but is still stored in clear electronic form on the user's computer. If the user is careless or wishes to minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content owner.

[0014] Accordingly, it would be beneficial to provide an electronic document distribution scheme that minimizes the disadvantages of known systems. Such a scheme would prevent users from obtaining a useful form of an electronically distributed document during the decryption and rendering processes.

[0015] The present self-protecting document ("SPD") is not subject to the above-stated disadvantages of the prior art. By combining an encrypted document with a set of permissions and an executable code segment that includes most of the software necessary to extract and use the encrypted document, the self-protecting document provides protection of document contents without the need for additional hardware and software.

[0016] The SPD system is broken down between a content creator (analogous to the author and the publisher of the traditional model) and a content distributor. The author/publisher creates the original content and specifies which rights are to be permitted. The distributor then customizes the document for use by various users, ensuring via the customization that the users do not exceed the permissions they purchased.

[0017] At the user's system, the self-protecting document is decrypted at the last possible moment. In an embodiment of the invention, various rendering facilities are also provided within the SPD, so that the use of the SPD need not rely upon external applications that might not be trustworthy (and that might invite unauthorized use). In an alternative embodiment, interfaces and protocols are specified for a third-party rendering application to interact with the SPD to

[0018] In one embodiment of the invention, the encrypted document is decrypted by the user's system while simultaneously "polarizing" it with a key that is dependent, at least in part, on the state of the user's system. The polarization may be cryptographically less secure than the encryption used for distribution, but serves to deter casual copying. In this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate form of the document to be essentially unusable.

FIGURE 1 is a top-level block diagram representing a model for the creation and commercial distribution of electronic documents in either secure or insecure environments;

FIGURE 2 is a flow diagram illustrating the decryption of protected electronic documents according to the prior art;

FIGURE 3 is a flow diagram illustrating the decryption of protected electronic documents according to a simple embodiment of the invention;

FIGURE 4 is a flow diagram illustrating the decryption of protected electronic documents according to a preferred embodiment of the invention;

FIGURE 5 is a functional block diagram illustrating the data structures present in a self-protecting document according to an embodiment of the invention;

FIGURE 6 is a flow diagram illustrating the creation and customization of a self-protecting document according to an embodiment of the invention;

FIGURE 7 is a flow diagram, from a user's perspective, illustrating the actions performed in handling and using a self-protecting document according to the invention;

FIGURE 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and rendered and decrypted presentation data; and

FIGURE 9 is a flow diagram illustrating a polarization process according to the invention in which document format information remains in the clear for rendering.
[0019] Figure 1 represents a top-level functional model for a system for the electronic distribution of documents, which, as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, software, audio and video clips, and other multimedia presentations.

[0020] An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for distribution. Although it is contemplated that the author may also distribute documents directly, without involving another party as a distributor, the division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 110 to concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. Moreover, such a breakdown would allow the distributor 114 to realize economies of scale by associating with a number of authors and publishers (including the illustrated author/publisher 110).

[0021] The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the original content 112 with the user 118's public key, and modified content 116 is customized solely for the single user 118. The user 118 is then able to use his private key to decrypt the modified content 116 and view the original content 112.

[0022] A payment 120 for the content 112 is passed from the user 118 to the distributor 114 by way of a clearinghouse 122. The clearinghouse 122 collects requests from the user 118 and from other users who wish to view a particular document. The clearinghouse 122 also collects payment information, such as debit transactions, credit card transactions, or other known electronic payment schemes, and forwards the collected users' payments as a payment batch 124 to the distributor 114. Of course, it is expected that the clearinghouse 122 will retain a share of the user's payment 120. In turn, the distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 (including royalties) to the author and publisher 110. In one embodiment of this scheme, the distributor 114 awaits a bundle of user requests for a single document before sending anything out. When this is done, a single document with modified content 116 can be generated for decryption by all of the requesting users. This technique is well known in the art.

[0023] In the meantime, each time the user 118 requests (or uses) a document, an accounting message 128 is sent to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment batches 124 made to the distributor 114. This accounting scheme is present to reduce the possibility of fraud in this electronic document distribution model, as well as to handle any time-dependent usage permissions that may result in charges that vary, depending on the duration or other extent of use.

[0024] The foregoing model for electronic commerce in documents, shown in Figure 1, is in common use today. As will be shown in detail below, it is equally applicable to the system and method set forth herein for the distribution of self-protecting documents.

[0025] Turning now to Figure 2, the steps performed by the user 118 (Figure 1) in a prior art system for electronic document distribution are shown. As discussed above, cryptographic mechanisms are typically used to encipher documents. Those encrypted documents are then distributed and stored publicly and deciphered privately by authorized users. This provides a basic form of protection during document delivery from a document distributor to an intended user over a public network, as well as during document storage on an insecure medium.

[0026] At the outset, an encrypted document 210 is received by the user 118 and passed to a decryption step 212. As is well known in the art, the decryption step 212 receives the user 118's private key, which is stored locally at the user's computer or entered by the user when needed. The document 210 is decrypted, resulting in clear content 216 similar or identical to the original content 112 (Figure 1).

[0027] The clear content 216 is passed to a rendering application 218, which constructs presentation data 220, or a usable version of the document's original content 112. In typical systems of this kind, the presentation data 220 is data immediately suitable for display on a video screen, for printing as a hardcopy, or for other use depending on the document type.

[0028] As discussed above, the document is vulnerable in systems like this. The clear content 216 can be copied, stored, or passed along to other users without the knowledge or consent of the distributor 114 or the author/publisher 110. Even a legitimate user may be tempted to minimize the licensing fees by capturing the document in the clear in order to redistribute and use it at will, without honoring the intellectual property of the content owners. As discussed above, the present invention is directed to a scheme for preventing such a user from obtaining a useful form of the document during the rendering process on the user's system.

[0029] Accordingly, the system and method of the present invention sets forth an alternative scheme for handling encrypted documents at the user 118's system. A simple embodiment of this scheme is illustrated in Figure 3.

[0030] Figure 3 looks similar to Figure 2, in that an encrypted document 310 is passed to a decryption step 312 (which uses a private key 314) and a rendering application 316, resulting in presentation data 318. However, an additional layer of protection is provided by a protecting shell 320. The protecting shell 320 allows the document 310 to be decrypted and rendered without ever leaving clear content (as in the clear content 216 of Figure 2) available to be intercepted. This is accomplished by including decryption and rendering elements within the document 310, as will be described below with reference to Figure 5. The included decryption and rendering elements are adapted to limit the user's interaction with the SPD, prohibiting certain operations (such as saving the document or performing cut-and-paste operations) according to the user's permissions.

[0031] Figure 4 is a more sophisticated version. The scheme of Figure 4 includes an intermediate polarization step adapted to secure the document after it has been decrypted but before it is rendered. First, the encrypted document contents 410 are passed to a polarizer 412. The polarizer 412 receives the user's private key 414 and, via a decryption step 416, decrypts the document contents 410. Concurrently, the polarizer 412 receives a polarization key 418 from the user's system.

[0032] This polarization key 418 is used by the polarizer 412 to transform the document to a version having polarized contents 420. All of these operations can take place in the open, without any kind of protective mechanism, provided the polarizer 412 does not store a clear version of the document between decrypting it and polarizing it.

[0033] In one embodiment of the invention, the polarization key 418 represents a combination of data elements taken from the user's system's internal state, such as the date and time of day, elapsed time since the last keystroke, the processor's speed and serial number, and any other information that can be repeatably derived from the user's system. It is useful to include some time-derived information in the polarization key 418 so that interception and seizure of polarized contents 420 would not be useful. Further rendering of the polarized document would not be possible, as the system time would have changed too much.

[0034] Then, once again within a protecting shell 422, the polarized contents 420 are passed to a rendering application 424. As discussed above, typical rendering applications are third-party applications such as Microsoft Word or Adobe Acrobat Reader. However, it is likely that such external rendering applications will not be able to process the polarized contents 420, as the contents, any formatting codes, and other cues used by the renderer will have been scrambled in the polarization process.

[0035] Hence, the rendering application 424 must be commutative with the polarization (or at least fault-tolerant), or it must receive polarized contents 420 that are largely complete and processable by the application. The latter possibility will be discussed below, in connection with Figure 9.

[0036] The output of the rendering application is polarized presentation data 426, which has been formatted by the rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 426 is passed to a depolarizer 428, which receives the polarization key 418 and restores the original form of the document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with the rendering or display function. In this case, the polarized presentation data 426 is received directly by a display device, which can be separate from the user's system and receive data over a communications channel.

[0037] Creation of the polarization key 418, the rendering application 424, and the depolarization step 428 are all elements of the protecting shell 422; these are tamper-resistant program elements. It is contemplated that all computational steps that occur within the protecting shell 422 will use local data only, and will not store temporary data to any globally accessible storage medium or memory area; only the explicit results will be exported from the protecting shell 422. This approach will prevent users from easily modifying operating system entry points or scavenging system resources so as to intercept and utilize intermediate data.
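The user-side path of Figure 4, worked through as an added example written for this page; it is not code from the patent or from any product built on it. Where the text names no algorithm, stand-ins are used: an HMAC-SHA256 keystream for the distribution cipher (in place of the user's public-key decryption), a per-character shift keyed by the polarization key for the polarizer, and a polarization key hashed from constructed system-state fields (a CPU serial, the clock speed and a one-minute time bucket, names chosen here). Whitespace is left in the clear, as in the Figure 9 variant, so a word-wrapping renderer can lay out polarized text, and the depolarizer inverts the shift on the rendered output. The trailing demonstration shows that a polarized copy seized now cannot be depolarized with a key derived ten minutes later.

```python
import hashlib
import hmac

PRINTABLE_LO, PRINTABLE_RANGE = 33, 94          # '!' .. '~'


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode. A stand-in so the example needs only the
    standard library; the patent does not fix a cipher."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt_for_distribution(clear: str, dist_key: bytes) -> bytes:
    """Distributor side: encrypted document contents 410 (a symmetric stand-in
    for encryption under the user's public key)."""
    data = clear.encode("ascii")
    return bytes(a ^ b for a, b in zip(data, keystream(dist_key, b"dist", len(data))))


def polarization_key(state: dict) -> bytes:
    """Polarization key 418 from repeatable system state plus a coarse time
    bucket (paragraph 0033). The state field names are this example's own."""
    bucket = state["clock"] // state["window_seconds"]
    material = f"{state['cpu_serial']}|{state['cpu_mhz']}|{bucket}".encode()
    return hashlib.sha256(material).digest()


def _shift(ch: str, k: int, sign: int) -> str:
    """Shift one printable character by k positions within '!'..'~'."""
    code = ord(ch) - PRINTABLE_LO
    if not 0 <= code < PRINTABLE_RANGE:
        raise ValueError(f"non-printable character {ch!r}")
    return chr(PRINTABLE_LO + (code + sign * k) % PRINTABLE_RANGE)


def decrypt_and_polarize(encrypted: bytes, dist_key: bytes, pkey: bytes) -> str:
    """Polarizer 412: each byte is decrypted and re-keyed in one step, so no
    clear copy of the whole document is ever assembled. Whitespace (the layout
    information of Figure 9) stays in the clear."""
    dks = keystream(dist_key, b"dist", len(encrypted))
    pks = keystream(pkey, b"polarize", len(encrypted))
    out, i = [], 0
    for e, d in zip(encrypted, dks):
        ch = chr(e ^ d)
        if ch.isspace():
            out.append(ch)
        else:
            out.append(_shift(ch, pks[i], +1))
            i += 1
    return "".join(out)


def render(polarized: str, width: int) -> str:
    """Rendering application 424: greedy word wrap. It needs only word lengths
    and the clear whitespace, never the characters themselves."""
    lines, line = [], ""
    for word in polarized.split():
        if line and len(line) + 1 + len(word) > width:
            lines.append(line)
            line = word
        else:
            line = f"{line} {word}" if line else word
    if line:
        lines.append(line)
    return "\n".join(lines)


def depolarize(presentation: str, pkey: bytes) -> str:
    """Depolarizer 428: invert the shift in reading order, passing layout
    characters through. This commutes with render() because render() only
    adds or removes whitespace and never reorders characters."""
    pks = keystream(pkey, b"polarize", len(presentation))
    out, i = [], 0
    for ch in presentation:
        if ch.isspace():
            out.append(ch)
        else:
            out.append(_shift(ch, pks[i], -1))
            i += 1
    return "".join(out)


def view(encrypted: bytes, dist_key: bytes, state: dict, width: int = 24) -> str:
    """Whole user-side path of Figure 4, returning presentation data 430."""
    pkey = polarization_key(state)
    polarized = decrypt_and_polarize(encrypted, dist_key, pkey)   # contents 420
    return depolarize(render(polarized, width), pkey)             # 426 -> 430


if __name__ == "__main__":
    # Constructed sample, not from the patent.
    CLEAR = "The quick brown fox jumps over the lazy dog."
    DIST_KEY = b"\x01" * 32
    STATE = {"cpu_serial": "ABC123", "cpu_mhz": 1200, "clock": 1_000_020, "window_seconds": 60}
    enc = encrypt_for_distribution(CLEAR, DIST_KEY)
    print(view(enc, DIST_KEY, STATE))
    # A polarized copy seized now is useless with a key derived ten minutes
    # later: the time bucket folded into the key has moved on.
    pol = decrypt_and_polarize(enc, DIST_KEY, polarization_key(STATE))
    print(depolarize(render(pol, 24), polarization_key(dict(STATE, clock=STATE["clock"] + 600))))
```

Two caveats the text itself implies. Word lengths and line layout leak through the clear whitespace, and a per-character shift is far weaker than the distribution cipher, which is the trade-off [0018] accepts in exchange for a renderer that can work on polarized data. The clear characters also still exist transiently inside the polarizer and again in the display path, which is why the patent places both ends inside the tamper-resistant shell rather than relying on the polarization alone.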

[0038] It should be noted that the presentation data 430 of Figure 4, in alternative embodiments of the invention, can be either device independent or device dependent. In the device-independent case, additional processing by a device driver (such as a display driver or a printer driver) typically is necessary to complete the rendering process. In the presently preferred device-dependent case, the device-specific modifications to the presentation data have already been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can be sent directly to the desired output device.

[0039] The decryption schemes described with reference to Figures 3 and 4 above are enabled by a unique document structure, which is shown in detail in Figure 5. As discussed above, certain operations performed by the system and method of the invention require trusted components. One way to ensure that certain unmodified code is being used to perform the trusted aspects of the invention is to provide the code along with the documents. The various components of a self-protecting document according to the invention are illustrated in Figure 5.

[0040] The problem of document protection is approached by the invention without any assumptions on the presence of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document to be an active meta-document object. Content owners (i.e., authors or publishers) attach to a document rights that specify the types of uses, the necessary authorizations and the associated fees, and a software module that enforces the permissions granted to the user. This combination of the document, the associated rights, and the attached software modules that enforce the rights is the self-protecting document ("SPD") of the invention. A self-protecting document prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the content owners.

[0041] The self-protecting document 510 includes three major functional segments: an executable code segment 512 contains certain portions of executable code necessary to enable the user to use the encrypted document; a rights and permissions segment 514 contains data structures representative of the various levels of access that are to be permitted to various users; and a content segment 516 includes the encrypted content 116 (Figure 1) sought to be viewed by the user.

[0042] In a preferred embodiment of the invention, the content segment 516 of the SPD 510 includes three subsections: document meta-information 518 (including but not limited to the document's title, format, and revision date), rights label information 520 (such as a copyright notice attached to the text, as well as rights and permissions information), and the protected content 522 (the encrypted document itself).

[0043] In one embodiment of the invention, the rights and permissions segment 514 includes information on each authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, user John Doe may be given the right to view a particular document and to print it twice, at a cost of $10. In this case, the rights and permissions segment 514 identifies John Doe, associates two rights with him (a viewing right and a printing right), and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and permissions segment 514 may also include information on other users.

[0044] In an alternative embodiment, the rights and permissions segment 514 includes only a link to external information specifying rights information. In such a case, the actual rights and permissions are stored elsewhere, for example on a networked permission server, which must be queried each time the document is to be used. This approach provides the advantage that rights and permissions may be updated dynamically by the content owners. For example, the price for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected.

[0045] In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user from directly viewing the rights and permissions of himself and others.

[0046] The executable code segment 512, also called the "SPD Control," also contains several subsections, each of which comprises a software module at least partially within the executable code segment. In one embodiment of the invention, the Java programming language is used for the SPD Control; however, it is contemplated that any platform-independent or platform-specific language, either interpreted or compiled, can be used in an implementation of this invention.

[0047] A rights enforcer 524 is present to verify the user's identity, to compare a requested action by the user to those actions enumerated in the rights and permissions segment 514, and to permit or deny the requested action depending on the specified rights. The operation of the rights enforcer 524 will be discussed in further detail below in connection with Figure 7.
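An added example, written for this page and not the patent's own code, of the SPD structure of Figure 5 together with the distributor's customization step of Figure 6 (described further on) and the rights enforcer 524 of [0047]: a generic SPD whose content segment carries the three subsections of [0042], a customization step that attaches John Doe's grants from [0043] (view; print twice; $10 fee) and signs the rights and permissions segment as [0045] requires, and an enforcer that refuses a tampered segment, an unknown user, an unpurchased right, an unpaid fee, an expired right or an exhausted print count. Everything cryptographic is a stand-in: HMAC-SHA256 under a constructed distributor key stands in for the signature (a deployed SPD would embed only a public verification key, since an HMAC key reachable from the user's machine lets the user re-sign edited rights), and a SHA-256 counter pad stands in for the content cipher. The field names, the `expires` and `max_uses` conditions and all sample data are this example's own.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a deployed SPD would carry a public-key
# signature and embed only the verification key in the SPD Control.
DISTRIBUTOR_SIGNING_KEY = b"distributor-signing-key-stand-in"


def _pad(key: bytes, n: int) -> bytes:
    """SHA-256 counter pad: stand-in for whichever content cipher is used."""
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def _canonical(obj) -> bytes:
    """Deterministic encoding so the signature covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_generic_spd(clear: bytes, content_key: bytes, meta: dict, rights_label: str) -> dict:
    """Generic SPD 610 (Figure 6): content segment 516 filled in, rights and
    permissions segment 514 still empty, no user-specific data."""
    protected = bytes(a ^ b for a, b in zip(clear, _pad(content_key, len(clear))))
    return {
        "code": {"spd_control": "example-spd-control"},   # segment 512 (named only)
        "rights": None,                                    # segment 514, set by customize()
        "content": {                                       # segment 516
            "meta": meta,                                  # 518: title, format, revision date
            "rights_label": rights_label,                  # 520: e.g. copyright notice
            "protected": protected.hex(),                  # 522: the encrypted document
        },
    }


def customize(generic: dict, grants: dict) -> dict:
    """Distributor customization (Figure 6): attach each user's rights with
    their terms and conditions and sign the segment against tampering."""
    sig = hmac.new(DISTRIBUTOR_SIGNING_KEY, _canonical(grants), hashlib.sha256).hexdigest()
    return {**generic, "rights": {"grants": grants, "signature": sig}}


class RightsEnforcer:
    """Rights enforcer 524: verify the segment, identify the user, and permit or
    deny each requested action. Usage counters and payment state live in
    memory here; a real SPD would have to keep them where the user cannot
    reset them, which is part of the trust problem the text describes."""

    def __init__(self, spd: dict):
        rights = spd["rights"]
        expect = hmac.new(DISTRIBUTOR_SIGNING_KEY, _canonical(rights["grants"]),
                          hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rights["signature"]):
            raise ValueError("rights and permissions segment has been altered")
        self.spd, self.grants = spd, rights["grants"]
        self.used, self.paid = {}, set()

    def record_payment(self, user: str) -> None:
        """Called once the clearinghouse reports the user's fee as settled."""
        self.paid.add(user)

    def decide(self, user: str, action: str, now: int):
        """Return (permitted, reason); a permit consumes one use of the right."""
        entry = self.grants.get(user)
        if entry is None:
            return False, "unknown user"
        cond = entry["rights"].get(action)
        if cond is None:
            return False, f"no {action} right"
        if entry.get("fee", 0) and user not in self.paid:
            return False, "fee not paid"
        if "expires" in cond and now > cond["expires"]:
            return False, "right expired"
        used = self.used.get((user, action), 0)
        if "max_uses" in cond and used >= cond["max_uses"]:
            return False, "usage limit reached"
        self.used[(user, action)] = used + 1
        return True, "ok"

    def release(self, user: str, action: str, content_key: bytes, now: int):
        """Decrypt the content segment only after decide() has permitted the action."""
        ok, why = self.decide(user, action, now)
        if not ok:
            return None, why
        enc = bytes.fromhex(self.spd["content"]["protected"])
        return bytes(a ^ b for a, b in zip(enc, _pad(content_key, len(enc)))), why


if __name__ == "__main__":
    # Constructed sample data, not from the patent.
    KEY = b"\x07" * 32
    generic = make_generic_spd(b"Chapter 1. It was a dark and stormy night.", KEY,
                               {"title": "Example", "format": "spd-text", "revision": "2000-01-01"},
                               "(c) Example Publisher")
    spd = customize(generic, {"John Doe": {"fee": 10, "rights": {"view": {}, "print": {"max_uses": 2}}}})
    enf = RightsEnforcer(spd)
    print(enf.decide("John Doe", "view", now=0))          # -> (False, 'fee not paid')
    enf.record_payment("John Doe")
    for _ in range(3):
        print(enf.decide("John Doe", "print", now=0))     # ok, ok, then usage limit reached
    print(enf.release("John Doe", "view", KEY, now=0))
```

The order of checks matters for what an attacker learns: identity and the existence of the right are tested before the fee, so an unpaid user cannot probe which rights exist by comparing error strings. Under the linked-rights variant of [0044] the `grants` dictionary would be fetched from the permission server on every use instead of being read from the segment, with the same signature check applied to the fetched copy.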

[0048] A secured polarization engine 526 is also present within the executable code segment 512; it serves to read and polarize the data according to the system state (or other polarization key) as discussed above. In a preferred embodiment of the invention, the polarization engine 526 acts upon the document as it is decrypted, before it is stored, so the document is never stored in the clear on the user's system. The polarization engine 526 is secured, that is, it is cryptographically signed and encrypted, to prevent tampering, reverse-engineering, and disassembling.

[0049] A counterpart depolarization engine 528 is also included to enable the generation of clear presentation data from the polarized content (see Figure 4). The depolarization engine includes a set of secure window objects providing a relatively tamper-proof interface to the rendering API (application program interface) of the user's system. The secure window objects are resistant to being intercepted, thereby reducing the possibility that the document, in its clear form, can be reconstructed by intercepting and receiving the data intended for the operating system.

[0050] The depolarization engine 528 likewise provides a relatively tamper-proof interface to the logical or physical output device (e.g., the user's display device). The input to the depolarization engine 528 is polarized presentation data. Therefore, if that data is intercepted, it will not reveal any of the clear content without further depolarization, which depends on, for example, the user's system state.

[0051] A secure viewer 530 is optionally included in the executable code segment 512. The secure viewer 530 is used to permit only those levels of access that are permitted according to the rights and permissions segment 514. For example, if the user purchased only sufficient rights to view a document (and not to save or print it), the viewer will not permit the user to save, print, or perform the standard cut-and-paste operations possible in most modern operating systems.

[0052] Finally, a rendering engine 532 is included or referenced within the executable code segment 512. The rendering engine 532 need not be secure. Accordingly, the code for the rendering engine 532 can be included within the SPD applet, or alternatively retrieved (via a secure link) from some other location. In either case, the rendering engine 532 is adapted to receive polarized document contents and produce polarized presentation data therefrom (see Figure 4).

[0053] The foregoing aspects and elements of the self-protecting document 510 will be discussed in further detail below, in conjunction with the operation of the system.

[0054] Figure 6 shows the steps performed when a self-protecting document 510 is created and distributed. A generic SPD 610 includes no user-specific rights information and is not encrypted for any particular user. The generic SPD 610 is created from three items: the original document content 612, in clear (unencrypted) form; a high-level rights specification 614; and an optional watermark 616.

[0055] The content 612 is pre-processed (step 618) to lay out the document as desired by the author or publisher. For example, a preferred page size, font, and page layout may be selected. The content 612 is essentially "pre-rendered" in the content pre-processing step so that it will be in a format that is compatible with users' systems and the SPD. For example, the content 612 may be converted from Microsoft Word (".DOC") or Adobe Acrobat (".PDF") format to a different format specially adapted to be read by the rendering engine 532 (Figure 5). In one embodiment of the invention, multiple versions of the content 612 are generated by the content pre-processing step and stored in the generic SPD 610; those different versions may then be separately purchased by the user according to his needs.

[0056] The high-level rights specification 614 sets forth what combinations of access rights are permissible. Such a rights specification is tailored to a particular document, and is capable of describing different groups of rights for different classes of downstream users. For example, a publisher may be given the right to distribute up to 100,000 copies of a document at a $1.00 per copy royalty, with additional copies yielding a $2.00 royalty. Similarly, users may be given the option to purchase a version of the document that "times out" after one month, one year, or never. Several possible limitations are described with reference to a detailed example, which is set forth below.

[0057] Digital Property Rights Language (DPRL) is a language that can be used to specify rights for digital works. It 
provides a mechanism in which different terms and conditions can be specified and enforced for rights. Rights speci- 
fications are represented as statements in DPRL. For details, see, for example, U.S. Patent No. 5,715,403 to Stefik, 
entitled "System for Controlling the Distribution and Use of Digital Works Having Attached Usage Rights Where the 
Usage Rights are Defined by a Usage Rights Grammar." Enforcement of rights and verification of conditions associated 
with rights is performed using the SPD technology.
[0058] Different rights can be specified for different parts of a digital work using a "work" specification. Within a work 
specification, different sets of rights applicable to this work are specified. Rights can be grouped into named groups 
called "rights groups". Each right within a rights group is associated with a set of conditions. Conditions can be of 
different types: fee to be paid, time of use, type of access, type of watermark, type of device on which the operation 
can be performed, and so on. DPRL allows different categories of rights: transfer, render rights, derivative work rights, 
file management rights and configuration rights. Transport rights govern the movement of a work from one repository 
to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work 
through a transducer to an external medium (this includes the "export" right, which can be used to make copies in the 
clear). Derivative work rights govern the reuse of a work in creating new works. File management rights govern making 
and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories.

[0059] An exemplary work specification in DPRL is set forth below: 

(Rights-Language-Version: 1.02)
(Work-ID: "ISBN-1-55860-166-X; AAP-2348957tut")
(Description: "Title: Zuke-Zack, the Moby Dog Story
              Author: John Beagle
              Copyright 1994 Jones Publishing")
(Owner: (Certificate:
          (Authority: "Library of Congress")
          (ID: "Murphy Publishers")))
(Parts: "Photo-Celebshots-Dogs-23487gfj" "Dog-Breeds-Chart-AKC")
(Comment: "Rights edited by Pete Jones, June 1996.")
(Contents: (From: 1) (To: 16636))
(Rights-Group: "Regular"
  (Comment: "This set of rights is used for standard retail editions.")
  (Bundle:
    (Time: (Until: 1998/01/01 0:01))
    (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa")))
  (Play:
    (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
  (Print:
    (Fee: (Per-Use: 10.00 USD))
    (Printer:
      (Certificate:
        (Authority: "DPT")
        (Type: "TrustedPrinter-6")))
    (Watermark:
      (Watermark-Str: "Title: 'Zeke Zack - the Moby Dog'
                       Copyright 1994
                       by Zeke Jones.
                       All Rights Reserved.")
      (Watermark-Tokens: user-id institution-location
                         render-name render-time)))
  (Transfer: )
  (Copy: (Fee: (Per-Use: 10.00 USD)))
  (Copy: (Access:
           (User: (Certificate:
                    (Authority: "Murphy Publishers")
                    (Type: "Distributor")))))
  (Delete: )
  (Backup: )
  (Restore: (Fee: (Per-Use: 5.00 USD))))



[0060] This work specification has a rights group called "Regular," which specifies rights for standard retail editions 
of a book titled "Zuke-Zack, the Moby Dog Story." The work specification expresses conditions for several rights: play, 
print, transfer, copy, delete, backup, and restore. The work in the example includes two other parts, a photograph and 
a chart of breeds incorporated from other sources. A "bundle" specification bundles a set of common conditions that 
apply to all rights in the group. This specification states that all rights in the group are valid until January 1, 1998 and 
that fees should be paid to account "Jones-PBLSH-18546789". The clearinghouse for this account is Visa. The following 
contract applies: the work can be played by paying $1.00 every hour, where the fee is metered by the second; it can be 
printed on TrustedPrinter-6, which is certified by "DPT", for a fee of $10.00 per print, and the printed copy carries the 
watermark string (as depicted) together with the user, institution, renderer and time tokens filled in at the time it is 
printed; this work can be copied either by paying $10.00 or by a user holding a distributor certificate issued by 
Murphy Publishers; and unrestricted transfer, deletion or backing up of this work is permitted (restoration costs $5.00).
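The conditions of the "Regular" group above are mechanically checkable. The checker below is an added example, not code from the patent: it parses a constructed, trimmed copy of the group (the parser, the helper names, the time format and the representation of a certificate as an (authority, type) pair are assumptions) and decides Print and Copy requests against the bundle deadline and the certificate conditions, including a right such as Copy: that has two alternative clauses.

```python
import re
from datetime import datetime
# Constructed DPRL fragment modelled on the "Regular" rights group above, trimmed
# to what this checker evaluates (sample input, not the patent's full specification).
SPEC = """(Rights-Group: "Regular"
  (Bundle: (Time: (Until: 1998/01/01 0:01)) (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa")))
  (Print: (Fee: (Per-Use: 10.00 USD))
          (Printer: (Certificate: (Authority: "DPT") (Type: "TrustedPrinter-6"))))
  (Copy: (Fee: (Per-Use: 10.00 USD)))
  (Copy: (Access: (User: (Certificate: (Authority: "Murphy Publishers") (Type: "Distributor"))))))"""
TIME_FMT = "%Y/%m/%d %H:%M"   # the Time: notation used in the specification
def parse(text):
    # Parse DPRL's parenthesised statements into nested token lists (quotes stripped).
    stack = [[]]
    for tok in re.findall(r'"[^"]*"|[()]|[^\s()]+', text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok.strip('"'))
    return stack[0][0]

def children(node, label):
    """Sub-statements labelled `label:`; a right such as Copy: may appear several times."""
    return [n for n in node[1:] if isinstance(n, list) and n[0] == label + ":"]

def child(node, label):
    return (children(node, label) or [None])[0]

def deadline(group):
    until = child(child(child(group, "Bundle"), "Time"), "Until")   # applies to every right
    return datetime.strptime(f"{until[1]} {until[2]}", TIME_FMT)

def decide(group, right_name, now, presented_cert=None):
    """Evaluate each alternative of a right: bundle deadline first, then any Printer:/User:
    certificate condition against the presented (authority, type). Returns (allowed, fee_usd)."""
    if datetime.strptime(now, TIME_FMT) >= deadline(group):
        return False, 0.0
    fees = []
    for right in children(group, right_name):
        access = child(right, "Access")
        holder = child(right, "Printer") or (child(access, "User") if access else None)
        if holder:   # a certificate condition: the requester must present a matching one
            cert = child(holder, "Certificate")
            if presented_cert != (child(cert, "Authority")[1], child(cert, "Type")[1]):
                continue
        fee = child(right, "Fee")
        per_use = child(fee, "Per-Use") if fee else None
        fees.append(float(per_use[1]) if per_use else 0.0)
    return (True, min(fees)) if fees else (False, 0.0)
```

A certified distributor copies for free because the cheapest satisfied alternative wins; anyone else falls back to the $10.00 per-use clause.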
[0061] The high-level rights specification 614 is also subject to a pre-processing step (step 620), in which the high- 
level (i.e. human-readable) specification is compiled into a more efficient data structure representation for use by the 
SPD.

[0062] The generic SPD 610 is then created (step 622) by combining the pre-processed content 612, the pre-processed 
rights specification 614, and the watermark 616. A watermark may be added by any known means and may be either 
visible or concealed within the SPD. The generic SPD 610 may also optionally be encrypted by the author/publisher 110 
for transmission to the distributor 114 (Figure 1).

[0063] The generic SPD 610 is then received by the distributor 114, and is stored for later customization. When a 
request 624 is received by the distributor 114 (either directly or through the clearinghouse 122 or other interme- 
diary), the distributor determines (step 626) a set of user permissions consistent with both the request and the 
rights specification 614. If there is no such consistent set of permissions, then no further action is performed 
on that user's behalf (other than an optional notification message to the user).

[0064] The user permissions and the user's public key 628 are then used to generate (step 630) a customized SPD 
632 adapted to be used by the user. The user permissions from step 626 are stored in the rights and permissions 
segment 514 of the SPD 632, and the user's public key 628 is used to encrypt the content in the content segment 516 
of the SPD 632. A public-key encryption mechanism can be used to transform the SPD from the generic form to the 
customized SPD 632. Such a mechanism is useful if the SPD has to be confidentially transmitted through multiple 
parties, e.g. author to publisher to retailer to consumer, with rights protection at each stage. It should further be noted 
that multiple user requests can be composed and accommodated within a single SPD 632; there are techniques known 
in the art that are capable of using multiple public keys to encrypt a document such that any of the users' private keys

[0065] The custom SPD 632 is then transmitted to the user 118 by any available means, such as via a 
computer network or stored on a physical medium (such as a magnetic or optical disk). 

[0066] The operations performed when a user receives an SPD are depicted in the flow diagram of Figure 7. The 
SPD is first received and stored at the user's system (step 710); in many cases, it is not necessary to use the SPD 
right away. When usage is desired, the user is first authenticated (step 712). The system then determines what action 
is desired by the user (step 714). A rights enforcement step of the invention (step 716) then verifies the conditions 
associated with the requested right (e.g. fee, time, level of access, watermark, or other conditions); this can be 
performed locally via the SPD applet 512 (Figure 5) or by accessing a rights enforcement server.

[0067] If the rights enforcement step (step 716) fails, an update procedure (step 718) allows the user to update his 
permissions, for example by authorizing additional fees. After the user has valid permissions, a pre-audit procedure 
(step 718) is performed, in which the SPD system logs usage information with a usage tracking service (e.g. the audit 
server 130 of Figure 1). The content is then securely rendered to the screen (step 722) as discussed above. When the 
user is finished, a post-audit procedure (step 724) is performed in which the amount of usage is updated with the 
tracking service. The SPD system then awaits further action.
[0068] The protection yielded by the SPD is derived from the user's inability to capture a useful form of the document 
at an intermediate stage during the rendering process. This is accomplished by decrypting the document contents to 
a clear form at the latest possible stage, ideally in the last step.

[0069] The SPD decryption model is illustrated in Figure 8. E denotes the encryption function performed by the 
server, D denotes the decryption performed at the user's system, and R denotes the rendering operation. The straight- 
forward approach performs a first sequence of transformations 810, D(E(x)) followed by R(D(E(x))). As stated previously, 
early decryption leaves the document in a vulnerable state. Ideally, the transformations are performed in the reverse 
order 812, R'(E(x)) followed by D(R'(E(x))). This postpones decryption to the latest possible time. 

[0070] The existence of R', a rendering operation that can be performed before decryption, is determined by the 
following equality:



D(R'(E(x))) = R(D(E(x))) 






EP 0 999 488 A2 



[0071] In case the encryption and decryption functions are commutative, the existence 
of R' is ensured: 

R'(y) = E(R(D(y))) for y = E(x)


[0072] Clearly, this ideal model relies on whether or not the rendering function R is 
commutative with the encryption function E. When this happens, 

R'(y) = E(R(D(y))) = R(E(D(y))) = R(y)









level to the document. 

[0074] As discussed above, one alternative method of delaying decryption to the last possible moment employs a 
polarization technique that encrypts only the document data, leaving the format information in the clear. The clear 
document, it should be noted, does not exist in any single identifiable location during the rendering process. 

[0075] This possibility is shown in Figure 9. Beginning with the clear document (a state occurring within 
step 412 of Figure 4), the document is split (step 912) into a data portion 914 and a clear format portion 916. 
The data portion 914 is polarized (step 918) using the polarization key. This results in polarized content 924 
that can be rendered while still polarized.
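The commutativity argument of [0069] to [0072] and the data/format split of [0075] can be exercised together in code. The following is an added example, not the patent's polarization algorithm: it assumes a word-wise XOR keystream derived from a key and the word index as the polarization E (so D is the same map), a word-wrap renderer R that reads only word lengths and break tokens (the format portion), and a constructed sample document, and checks that D(R'(E(x))) equals R(D(E(x))) and R(x) while the laid-out intermediate holds no clear word.

```python
import hashlib

# Constructed sample document: the words are the data portion; the break token and
# the column width are the format portion, which stays in the clear.
CLEAR = [b"Zeke", b"Zack", b"the", b"Moby", b"Dog", b"\n",
         b"Copyright", b"1994", b"by", b"Zeke", b"Jones"]
WIDTH = 12
KEY = b"constructed-polarization-key"   # stands in for a key derived from the user's system

def keystream(key, index, length):
    """Per-word keystream (assumed construction): hash of the key and the word index."""
    return hashlib.sha256(key + index.to_bytes(4, "big")).digest()[:length]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def polarize(words, key):
    """E: XOR each word's bytes; lengths and break tokens are untouched (D is the same map)."""
    return [w if w == b"\n" else xor(w, keystream(key, i, len(w))) for i, w in enumerate(words)]

def render(words, width):
    """R: word-wrap. It reads only lengths and break tokens, so R' = R on polarized data."""
    lines, line, used = [], [], 0
    for i, w in enumerate(words):
        if w == b"\n" or (line and used + 1 + len(w) > width):
            lines.append(line)
            line, used = [], 0
            if w == b"\n":
                continue
        used += len(w) + (1 if line else 0)
        line.append((i, w))
    if line:
        lines.append(line)
    return lines

def depolarize_rendered(lines, key):
    """D performed last: undo the XOR on the laid-out lines, word by word, using each word's index."""
    return [[(i, xor(w, keystream(key, i, len(w)))) for i, w in line] for line in lines]

def to_text(lines):
    """What finally reaches the output device."""
    return b"\n".join(b" ".join(w for _, w in line) for line in lines).decode()

def late_decryption_holds(words, key, width):
    """D(R'(E(x))) == R(D(E(x))) == R(x): clear text appears only at the final step."""
    polarized = polarize(words, key)
    early = render(polarize(polarized, key), width)            # D first, then R (vulnerable)
    late = depolarize_rendered(render(polarized, width), key)  # R' first, then D
    return early == late == render(words, width)
```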

[0076] While certain exemplary embodiments of the invention have been described, it should be recognized that 
other forms, alternatives, modifications and versions are equally operative and would be apparent to those skilled 
in the art. For example, functional blocks described as software components could be implemented in hardware, and 
functional blocks described herein as separate and independent could be combined and performed on a single 
general-purpose computer, as is known in the art. 

[0077] According to a preferred embodiment of the method for creating a self-protecting document, the modifying 
step comprises encrypting the document with the user's public key and creating a rights and permissions segment of 
the self-protecting document.
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r0O781 Accordingtoapreterredembcxlimentofthemethodforusingasolf-piotectingdocu^^^^ 
client segment on a user's system, the step of modifying the encrypted content segment compnses *e subs^^o 
Ssf^rre eT^pted content segment via an encryption algorithm and employing the PO>an2at|on key Further 
,r e^ryX stercornprises the substeps of identifying data infomiation and ^JJl'J.^^^^ 
cr^^ed 3ent segment, separating the data infonnation and the fonriat informatbn '--jj^ J'^^^^^^^^ 
ment encrypting the data information with the polarization key. and combining the encrypted data mformatKx, wrth the 

^^^^^^^^ 
derived from the user's system. 



Claims 

1. A self-protecting document embodied as data stored on a tangible storage medium, the self-protecting document 
comprising: 

an encrypted content segment containing data representative of document contents; 
a permissions segment; and 
a code segment. 

2. The self-protecting document of claim 1, wherein the code segment comprises: 

a rights-enforcement subsection; and 
a rendering subsection. 

3. The self-protecting document of claim 1, wherein the code segment further comprises a polarization subsection. 

4. The self-protecting document of claim 3, wherein the polarization subsection comprises a polarization engine and 
a depolarization engine. 

5. The self-protecting document of claim 1, wherein the polarization subsection contains executable computer code 
adapted to modify the encrypted content segment. 

6. The self-protecting document of claim 1, wherein the polarization subsection contains executable computer code 
adapted to modify the encrypted content segment into a polarized content segment. 

7. A method for creating a self-protecting document, comprising the steps of: 

receiving an unencrypted document; 
modifying the unencrypted document to produce an original content segment; 
creating a rights specification; and 
combining the original content segment, the rights specification, and the code segment to produce a generic 
self-protecting document. 

8. The method of claim 7, wherein the modifying step comprises the step of encrypting the unencrypted document. 

9. A method for using a self-protecting document having an encrypted content segment on a user's system, com- 
prising the steps of: 

modifying the encrypted content segment with the polarization key to produce polarized content; 
rendering the polarized content to produce rendered polarized content for output on an output device; 
depolarizing the rendered polarized content with the polarization key to produce rendered clear content; and 
sending the rendered clear content to the output device. 

10. The method of claim 9, wherein the step of modifying the encrypted content segment comprises the substep of 
transforming the encrypted content segment via an encryption algorithm employing the polarization key.
FIG. 1 

FIG. 2 (Prior Art) 

FIG. 9